mm13de_tech en.pdf - Fabian Blechschmidt

ikonoshirt.de

mm13de_tech en.pdf - Fabian Blechschmidt

Web- and Magento-Security

Fabian Blechschmidt

& Bastian Ike

Dienstag, 4. Juni 13


Dienstag, 4. Juni 13

Security


Who we are

Bastian Ike

2006: Security

2011: Certification

2012: Talks at Imagine,

Meet-Magento, Developers

Paradise

Fabian Blechschmidt

2011: Certification

2010: Security-Extensions

2013: Talk at Imagine

Dienstag, 4. Juni 13


Security? Again!?

• Insecure community modules

• attackable payment gateways

– PayPal

– GoogleCheckout

– Moneybookers

Dienstag, 4. Juni 13


Security? Sure!

• Plan your software

• Think about it from the beginning

• Think first, code afterwards

Dienstag, 4. Juni 13


Conceptionall problems

• insecure object references

• blind trust in third party extensions

• open redirect

Dienstag, 4. Juni 13


Dienstag, 4. Juni 13

Problems in PHP


Problems in PHP

strcmp(”foo”, ”bar”) !== 0

strcmp(Array(), ”something“) === NULL

md5(”240610708”) == ”0e462097431906509019562988736854”

md5(”240610708”) == ”0”

=== instead of ==

Dienstag, 4. Juni 13


Dienstag, 4. Juni 13

Magento


Magento security issues

• 3x XSS (1x persistent)

• 2x File Disclosure (get.php, Zend_XmlRpc)

• 3x Attacking the API

• Magento 2 alpha: write files

Dienstag, 4. Juni 13


unserialize() in Magento 2

• unserialize() calls:

__wakeup()

__destruct()

unserialize($_COOKIE[”some_cookie”])

Mage_Core_Model_Design_Fallback_CachingProxy::

__destruct():

$this->_filesystem->

write($filePath, serialize($section['data']));

Dienstag, 4. Juni 13


Dienstag, 4. Juni 13

Impact


Impact

• backdoors

• data theft

• proxy/sending spam

Dienstag, 4. Juni 13


Dienstag, 4. Juni 13

precautious measures


Schutzmaßnahmen

• prevention instead of patching

... ordo you detect fast enough an attack?

• think like an attacker

• check third party code

– have an eye on it! It doesn‘t hurt.

• think before you code

Dienstag, 4. Juni 13


Frameworks against mistakes

• template engine (Twig) instead of XSS

• PDO instead of MySQL injection

• TLS (HSTS) to prevent MITM

... but still no 100% protection :-(

Dienstag, 4. Juni 13


SSL

• SSL in the backend

• send HSTS header

• NO FTP! (use SCP instead, it is secure)

• correct SSL certificates for customers

• IF self-signed certificates, implement your

own CA

Dienstag, 4. Juni 13


Dienstag, 4. Juni 13

Conclusion


Thanks

Bastian Ike

@b_ike

Fabian Blechschmidt

@Fabian_ikono

Dienstag, 4. Juni 13

More magazines by this user
Similar magazines